
libssl: Load only the ciphers and digests needed for TLS, not all of them #11166

Merged (1 commit, Jan 14, 2022)

Conversation

rgacogne (Member)

Short description

OPENSSL_init_crypto(), added in 1.1.0, loads all available ciphers and digests by default. Since we only need the TLS-related ones, that only increases the startup time and the memory usage.

Before:
```
OPENSSL_INIT: ossl_init_base: Setting up stop handlers
OPENSSL_INIT: ossl_init_register_atexit()
OPENSSL_INIT: ossl_init_load_crypto_nodelete()
OPENSSL_INIT: openssl_config_int((null), (null), 50)
OPENSSL_INIT: ossl_init_engine_rdrand: engine_load_rdrand_int()
OPENSSL_INIT: ossl_init_thread_start: marking thread for err_state
OPENSSL_INIT: ossl_init_load_crypto_strings: err_load_crypto_strings_int()
OPENSSL_INIT: ossl_init_engine_dynamic: engine_load_dynamic_int()
OPENSSL_INIT: ossl_init_add_all_ciphers: openssl_add_all_ciphers_int()
OPENSSL_INIT: ossl_init_add_all_digests: openssl_add_all_digests()
OPENSSL_INIT: ossl_init_ssl_base: Adding SSL ciphers and digests
OPENSSL_INIT: ossl_init_ssl_base: SSL_COMP_get_compression_methods()
OPENSSL_INIT: ossl_init_ssl_base: SSL_add_ssl_module()
OPENSSL_INIT: ossl_init_load_ssl_strings: ERR_load_SSL_strings()
OPENSSL_INIT: ossl_init_thread_start: marking thread for rand
OPENSSL_INIT: ossl_init_thread_start: marking thread for rand
```

After:
```
OPENSSL_INIT: ossl_init_base: Setting up stop handlers
OPENSSL_INIT: ossl_init_register_atexit()
OPENSSL_INIT: ossl_init_load_crypto_nodelete()
OPENSSL_INIT: openssl_config_int((null), (null), 50)
OPENSSL_INIT: ossl_init_engine_rdrand: engine_load_rdrand_int()
OPENSSL_INIT: ossl_init_thread_start: marking thread for err_state
OPENSSL_INIT: ossl_init_load_crypto_strings: err_load_crypto_strings_int()
OPENSSL_INIT: ossl_init_engine_dynamic: engine_load_dynamic_int()
OPENSSL_INIT: ossl_init_ssl_base: Adding SSL ciphers and digests
OPENSSL_INIT: ossl_init_ssl_base: SSL_COMP_get_compression_methods()
OPENSSL_INIT: ossl_init_ssl_base: SSL_add_ssl_module()
OPENSSL_INIT: ossl_init_load_ssl_strings: ERR_load_SSL_strings()
OPENSSL_INIT: ossl_init_thread_start: marking thread for rand
OPENSSL_INIT: ossl_init_thread_start: marking thread for rand
```

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@rgacogne rgacogne merged commit e70c482 into PowerDNS:master Jan 14, 2022
@rgacogne rgacogne deleted the ddist-load-tls-algos-only branch January 14, 2022 10:00